Threats Feed | Tracer Kitten
Author: Certfa Radar
Publish Date: 14/09/2020
Last Updated: 24/01/2025

TRACER KITTEN's Sophisticated Attack on EMEA Telecommunications Network

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor
  • Attack Complexity: Medium
  • Threat Risk: High Impact/Low Probability

Threat Overview

In April 2020, Iran-based threat actor TRACER KITTEN targeted a telecommunications company in the EMEA region, leveraging valid credentials and custom backdoors for persistent access and C2 communications. The adversary employed SSH tunnels, masqueraded tools, and rogue Windows services to evade detection. Credential theft attempts involved LSASS dumps via comsvcs.dll and a modified Mimikatz. Reconnaissance was extensive, using native Windows tools to enumerate users, groups, and services, followed by a pass-the-hash attempt with Invoke-TheHash. Early detection allowed defenders to mitigate potential data exfiltration.
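The overview names three behaviours a telecommunications SOC can hunt for directly in endpoint and Windows event telemetry: an LSASS dump through the comsvcs.dll MiniDump export, tools masquerading as system binaries, and rogue services installed from non-system paths. The following Python is an added example written for this entry, not Certfa Radar's tooling and not anything recovered from the incident; it runs three such checks over constructed Sysmon-style process-creation (EventID 1) and System-log service-install (EventID 7045) records. The sample events, the list of system-binary names and the trusted path roots are assumptions chosen for illustration.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Constructed sample events shaped like Sysmon process-creation (EventID 1) and
# System-log service-install (EventID 7045) records. They are illustrative only,
# not telemetry from the incident described in the overview.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\out.dmp full"},
    {"EventID": "1",  # benign rundll32 use, should not fire
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"EventID": "1",  # system-binary name running from a user-writable directory
     "Image": r"C:\Users\Public\Libraries\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
    {"EventID": "7045",  # new service whose binary lives outside the system directories
     "ServiceName": "WinUpdateHelper",
     "ImagePath": r"C:\Users\Public\Libraries\svchost.exe"},
    {"EventID": "7045",  # legitimate service, should not fire
     "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

# Rule 1: rundll32 invoking the comsvcs.dll MiniDump export (the LSASS dump
# technique named in the overview). Matches "comsvcs.dll, MiniDump" and the
# spacing/case variants seen in command lines.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*minidump", re.IGNORECASE)

# Rules 2 and 3: binaries that carry a Windows system-executable name but run
# from, or are registered as services from, outside the trusted roots. Both the
# name list and the roots are assumptions for this example, not an exhaustive
# allow-list; tune them to the estate being monitored.
SYSTEM_BINARY_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe", "spoolsv.exe"}
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _clean_path(path: str) -> str:
    """Strip surrounding quotes and whitespace that service ImagePath values often carry."""
    return path.strip().strip('"')


def _outside_trusted_roots(path: str) -> bool:
    return not _clean_path(path).lower().startswith(TRUSTED_ROOTS)


def _masquerading_name(path: str) -> bool:
    """True when a system-binary file name is used from an untrusted location."""
    name = ntpath.basename(_clean_path(path)).lower()
    return name in SYSTEM_BINARY_NAMES and _outside_trusted_roots(path)


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per rule hit, in event order, with the matched evidence."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "1":
            image = ev.get("Image", "")
            cmd = ev.get("CommandLine", "")
            if ntpath.basename(image).lower() == "rundll32.exe" and COMSVCS_MINIDUMP.search(cmd):
                findings.append({"rule": "lsass_dump_comsvcs", "evidence": cmd})
            if _masquerading_name(image):
                findings.append({"rule": "masqueraded_system_binary", "evidence": image})
        elif eid == "7045":
            img = ev.get("ImagePath", "")
            if _outside_trusted_roots(img):
                findings.append({"rule": "service_outside_system_dirs",
                                 "evidence": f"{ev.get('ServiceName', '?')} -> {img}"})
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['evidence']}")
```

Run stand-alone, the script reports three hits (the comsvcs dump, the svchost.exe copy under Users\Public, and the service registered from that path) and stays silent on the two benign records. In production these checks belong in the SIEM or EDR query layer rather than a script, and the comsvcs rule should be paired with a lookup of the target PID against lsass.exe so that dumps of other processes are triaged separately.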

Detected Targets

Type     Description              Confidence
Sector   Telecommunication        Verified
Region   Middle East Countries    Verified
Region   European Countries       Verified
About Affiliation
Tracer Kitten